What is Office 1.00?
The Malwarebytes research team has determined that Office 1.00 is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. How do I know if my computer is affected by Office 1.00?
You will see this screen as soon as the file is executed:
You may see a short glimpse of this one before the screenlock and after you have stopped it: How did Office 1.00 get on my computer?
Tech Support Scammers use different methods for distributing themselves. This particular one was offered as an installer for a cracked Office version. How do I remove Office 1.00?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.
You may have to use the systems power button to shut the system down, or if you have that option, switch user and then shut down to get the system to reboot as this program actively stops a normal shutdown.
Then boot into Safe Mode with Networking.
As an alternative: we have found that in most cases the screenlock stops when you push the F7 key.
After returning to your desktop, continue with the instructions below.
You can use the Taskmanager to End the MicrosoftOffice process:
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Office 1.00?
No, Malwarebytes removes Office 1.00 completely.
How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam.
Technical details for experts
You may see these entries in FRST logs:
(Microsoft ) C:\Users\{username}\Desktop\microsoftoffice- blue Screen.exe
() C:\Program Files (x86)\Microsoft Office\MicrosoftOffice.exe
HKCU\...\Run: [SC.exe] => C:\Program Files (x86)\Microsoft Office\Microsoftoffice.exe [253952 2017-07-18] ()
C:\Program Files (x86)\Microsoft Office
Microsoft Office 1.00 (HKLM-x32\...\Microsoft Office 1.00) (Version: 1.00 - Microsoft)
Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\Microsoft Office
Adds the file MicrosoftOffice.exe"="7/18/2017 3:51 PM, 253952 bytes, A
Adds the file Uninstall.exe"="9/19/2017 8:48 AM, 99895 bytes, A
Adds the file Uninstall.ini"="9/19/2017 8:48 AM, 2781 bytes, A
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Office 1.00]
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Uninstall.exe"
"DisplayName"="REG_SZ", "Microsoft Office 1.00"
"DisplayVersion"="REG_SZ", "1.00"
"EstimatedSize"="REG_DWORD", 346
"HelpLink"="REG_SZ", "mailto:support@microsoft.com"
"InstallDate"="REG_SZ", "20170919"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\"
"InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
"Language"="REG_DWORD", 1033
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "Microsoft"
"UninstallString"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Uninstall.exe"
"URLInfoAbout"="REG_SZ", "http://www.Microsoft.com/"
"VersionMajor"="REG_DWORD", 1
"VersionMinor"="REG_DWORD", 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SC.exe"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Microsoftoffice.exe"
Malwarebytes scan log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 9/20/17
Scan Time: 3:04 PM
Log File: 3e2aa053-9e04-11e7-8352-080027750297.json
Administrator: Yes
-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.188
Update Package Version: 1.0.2850
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320367
Threats Detected: 7
Threats Quarantined: 7
Time Elapsed: 2 min, 3 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 2
Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Quarantined, [77], [437097],1.0.2850
Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Quarantined, [648], [437068],1.0.2850
Module: 2
Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Quarantined, [77], [437097],1.0.2850
Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Quarantined, [648], [437068],1.0.2850
Registry Key: 0
(No malicious items detected)
Registry Value: 1
Trojan.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SC.EXE, Delete-on-Reboot, [77], [437097],1.0.2850
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 2
Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Delete-on-Reboot, [77], [437097],1.0.2850
Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Delete-on-Reboot, [648], [437068],1.0.2850
Physical Sector: 0
(No malicious items detected)
(end)
As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.

Do the detections match the ones mentioned here:
https://blog.malwarebytes.com/security-world/2017/09/infected-ccleaner-downloads-from-official-servers/
and here:
If not, let us know and we'll investigate further.

What is Floxif?
The Malwarebytes research team has determined that Floxif is a Trojan. This trojan was designed to download other malware and send information about the infected system to a C2 server. How do I know if my computer is affected by Floxif?
This is the main screen of the program.
The version number of the infected version was 5.33
You may also see some alarms or reports regarding connections to the IP 216.126.225.148. How did Floxif get on my computer?
Trojans use different methods for distributing themselves. This particular one was offered as a download on the official server from August 15 until September 12 of 2017. How do I remove Floxif?
Our program Malwarebytes can detect and remove this trojan.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Floxif?
If you want to continue using CCleaner, make sure to donwload the latest version.
How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this trojan.
As you can see below the full version of Malwarebytes would have protected you against the Floxif trojan. It would have warned you before the trojan could install itself, giving you a chance to stop it before it became too late.
and we block the traffic to the associated IP and domains:
Technical details for experts
Possible signs in FRST logs:
(Piriform Ltd) C:\Users\{username}\Desktop\CCleaner.exe
Malwarebytes log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 9/19/17
Scan Time: 6:48 PM
Log File: 5493b75d-9d5a-11e7-804f-080027750297.json
Administrator: Yes
-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.188
Update Package Version: 1.0.2842
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320170
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 2 min, 24 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 1
Trojan.Floxif, C:\USERS\{username}\DESKTOP\CCLEANER.EXE, Quarantined, [8821], [436380],1.0.2842
Module: 1
Trojan.Floxif, C:\USERS\{username}\DESKTOP\CCLEANER.EXE, Quarantined, [8821], [436380],1.0.2842
Registry Key: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO, Quarantined, [8825], [436394],1.0.2842
Registry Value: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO|TCID, Quarantined, [8825], [436394],1.0.2842
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 1
Trojan.Floxif, C:\USERS\{username}\DESKTOP\CCLEANER.EXE, Quarantined, [8821], [436380],1.0.2842
Physical Sector: 0
(No malicious items detected)
(end)
As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.

If you ever run into such a situation again, can you disable Ransomware protection (Settings > Protection) and try again?
Let us know please. It's the only module that could be responsible in our opinion. And if this is the case we would like to figure out why it does this in some rare occasions. Your help would be very much appreciated.

That's a relief.
I have not heard of other circumstances that this might happen.
Can you give me your version info for Malwarebytes, please? (From Settings > About)
And I will ask around if anyone else might be able to help.

Hi,
Not sure if it is related, but it might be:
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
" For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner."